RSA is an easy scapegoat for the successful hack on Lockheed, but end-user ignorance was the critical security weakness

InfoWorld|Jun 6, 2011

Hackers successfully used stolen token data from RSA to break into Lockheed Martin's networks, according to various reports, but the EMC security division isn't entirely to blame for the breach. Rather, bad guys also had to swipe user data from Lockheed, such as login information and passwords, to exploit the company's SecurID-protected systems.

The entire saga, alongside the host of other high-profile attacks in recent weeks, is a clear sign of just how effective and dangerous cyber criminals have become and the threat they pose not just to the corporate world -- RSA may lose some credibility among its customers -- but potentially to the entire country.

RSA suffered a high-profile security breach last March, via an APT (advanced persistent threat) through which malicious hackers made off with data about the RSA SecurID two-factor authentication token system. When revealing the attack, EMC indicated that while "the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, [it] could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack."

EMC's warning has been proven prophetic: Defense giant Lockheed Martin suffered a breach last week, and according to RSA, the perpetrators pulled off the attack using the stolen SecurID information. Notably, though, the attackers must have swiped user info from Lockheed in order to make use of the purloined token data, according to security analysts. This may have been accomplished the same way hackers managed to hack RSA's systems in the first place: via social-engineered phishing attacks that duped users into surrendering their passwords to bad guys.

How RSA will weather the storm of bad publicity that comes with the breach remains to be seen. At least two major defense companies, Raytheon and Northrop Grumman, have already dumped RSA for another token provider. But perhaps as an acknowledgement that RSA won't be the scapegoat here, Lockheed is reportedly sticking with the security company; RSA is in the process of replacing 45,000 of its customers' SecurID tokens.

In the grand scheme of things, however, the successful breaches of RSA and Lockheed should put both the corporate world and the U.S. government on even higher alert. We've seen that hackers are capable of grabbing the data necessary to hack a major supplier of IT security gear (RSA), then quickly leveraging that theft to break into the systems of America's largest defense contractor (Lockheed). Whatever data resides in Lockheed's databases undoubtedly has huge value on the black market, whether for rival defense companies here and abroad or for terrorist groups and rogue nations.

Meanwhile, hackers have also reportedly pounded away at other major defense companies, including the aforementioned Northrop as well as L-3 Communications. Those companies aren't disclosing whether the attacks have been successful, though Northrop did reportedly shut down remote access to its network without warning in late March, after the RSA breach.

The bottom line here is that bad guys are effectively waging war on various cyber fronts in the United States, using APTs and social engineering attacks that exploit a network's weakest link: user ignorance. Meanwhile, we don't seem to know where all the attacks are coming from; for example, did the group that hacked RSA also hack Lockheed, or did the first group sell the spoils of its hack to the second?

Unfortunately, there's no evident quick fix, either, though security expert and InfoWorld blogger Roger Grimes has proposed a plan to fix the Internet in relatively short order. In the short term, though, end-user education seems to be among the most critical defenses against would-be hackers.